Managing allowed URLs

Tanium Cloud deployments include a customer-specific proxy server that allows the destinations that are required for Tanium solutions to work. To add allowed destinations, see Tanium Cloud Deployments Guide: Configuring network egress allow list rules in the CMP.

The URL expressions that you configure on the Administration > Permissions > Allowed URLs page control how the Tanium Server handles file downloads that the Tanium Client requests from Internet URLs. When the Tanium Client executes content (such as action packages or sensors), the script associated with that content might request a file from an Internet URL. The Tanium Client API uniquely identifies the download by URL, including file name. For security, the Tanium Client sends a message to the Tanium Server, which checks the requested URL against its lists of package file URLs and allowed URLs. The package file URLs are known URLs that the package author specified. You use the allowed URLs to account for dynamic URLs, such as URLs that a Tanium Client script computed. If the URL does not match either list, the request fails.

The first time the Tanium Server handles a Tanium Client file download request that passes the allowed URLs check, the server downloads the file and stores a temporary package file and metadata so that it can distribute the file to endpoints (see Tanium Client Management User Guide: File distribution). The allowed URLs configuration includes settings that affect how often the Tanium Server checks for changes to the requested URL files and how often the server clears temporary files.

Allowed URLs read permission is required to view allowed URLs configurations. Allowed URLs write permission is required to create, modify, or delete allowed URLs configurations. The Administrator reserved role has these permissions.

The Tanium Server and Tanium Module Server also access Internet URLs to download content. If your enterprise network uses SSL intercept technologies, such as man-in-the-middle (MITM) proxies, you must configure them so that they do not prevent the servers from downloading files from these locations. For details, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.

View allowed URLs

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.

    The page displays the settings that are described in Table 1.

  2. (Optional) To displays the identifier for each allowed URL, click Customize Columns Customize columns and select ID.
  3. (Optional) Enter a text string in the Filter items field to filter the grid by URL Expression.

Add allowed URLs

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.
  2. Click New URL Expression.
  3. Configure the following settings and click Save.
    4.  Table 1: Allowed URL settings
    Setting Description
    URL/regular expression Specify a URL.

    To allow multiple files from a base URL, select Treat the above text as a regular expression and specify the regular expression (regex). For example, the following regex allows any download from www.microsoft.com:

    http\:\/\/www\.microsoft\.com\/.*

    Note that the value is case sensitive. For example, the regex https\:\/\/192\.0\.2\.1\/abc\.csv allows https://192.0.2.1/abc.csv but not https://192.0.2.1/ABC.csv. The regex to allow both files is https\:\/\/192\.0\.2\.1\/abc|ABC\.csv.

    When a Tanium Client initiates a download that passes this check, the Tanium Server downloads the file so that it can distribute it to Tanium Clients through the linear chain.
    Download Interval (Optional) Select Check for changes after and specify an interval at which the Tanium Server checks the URL for changes to the requested file. The default is every six hours. If the check indicates there are changes to the file, the Tanium Server updates its copy of the file and restarts the expiration clock. For URLs that are specified regular expression, a timer is maintained for each match.
    Expiration

    (Optional) Select Clean up downloaded files after and specify the interval for clearing stale files. The default is seven days. This means that the Tanium Server deletes files that it has not downloaded and that Tanium Clients have not requested in the past seven days. If a Tanium Client subsequently requests the URL, the Tanium Server downloads it again and resumes the update checks. For URLs that you specify with a regular expression, the Tanium Server maintains a timer for each match.

    To troubleshoot issues that relate to clearing stale files, see Tanium Core Platform Deployment Reference Guide: Download catalog leaner logs.

Edit allowed URLs

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.
  2. Select an allowed URL configuration and click Edit.
  3. Update the settings that Allowed URL settings describes and click Save.

Delete allowed URLs

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.
  2. Select an allowed URL configuration and click Delete Edit.

Export or import allowed URLs

The following procedures describe how to export and import specific allowed URLs or all allowed URLs.

Develop and test custom content in your lab environment before importing that content into your production environment.

Export allowed URLs

Export allowed URLs as a file in one of the following formats:

  • CSV: When you open the file in an application that supports CSV format, it lists the allowed URLs with the same attributes (columns) as the Allowed URLs page displays.

  • JSON: If you are assigned a role with the Export Content permission, you can export allowed URL configurations as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission.

Perform the following steps to export allowed URLs:

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.
  2. (Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns Customize Columns in the grid and select the attributes.
  3. Select rows in the grid to export only specific allowed URLs. If you want to export all allowed URLs, skip this step.
  4. Click Export Export.
  5. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  6. Select an Export Data option: All allowed URLs in the grid or just the Selected allowed URLs.

  7. Select the file Format:

    • List of Allowed URLs - CSV

    • Allowed URL Definitions - JSON (Administrator reserved role only)

  8. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import allowed URLs

Users who are assigned a role with Import Signed Content permission can import content files (such as for Tanium solutions or sensor configurations) that are in JSON format. The Administrator reserved role has this permission.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
    You do not have to generate keys or signatures for Tanium-provided solutions. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

    If you plan to import a file that another user signed, you can first perform an integrity check on the file. See Verify content file signatures.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand Expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy allowed URL details

Copy information from the Allowed URLs page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Allowed URLs.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy Copy.
    • Copy cell information: Hover over the cell, click Options Options, and click Copy Copy.